120 likes | 235 Views
Overview of the 802.10 SDE Protocol. Presented by Ken Alonge Chair, 802.10. Primary Goals of 802.10. Develop an interoperable security solution for all 802 MACs Security solution based on threat analysis (Annex 2A) Threat analysis determined security requirements
E N D
Overview of the 802.10 SDE Protocol Presented by Ken Alonge Chair, 802.10
Primary Goals of 802.10 • Develop an interoperable security solution for all 802 MACs • Security solution based on threat analysis (Annex 2A) • Threat analysis determined security requirements • Security protocol independent of crypto mechanism & key management • Security services selectable (must have either confidentiality or integrity, can have both) • Support bridged environments • Enable coexistence of protected & non-protected frames
Placement of SDE in the 802 Stack SYS MGT KEY MGT LLC USER STACK 1 USER STACK N Security Removed SDE Security Applied MAC
Current SDE Header Format INTEGRITY PROTECTED ENCRYPTED DA SA CLEAR HEADER PROTECTED HEADER DATA PAD ICV STA ID FLAGS FRAG ID SEC LABEL SDE Des SAID MDF
M = Mandatory, if Clear Header is selected O = Optional Clear Header Fields
Protected Header Fields O = Optional
SDE Header Format Modifications INTEGRITY PROTECTED ENCRYPTED DA SA CLEAR HEADER PROTECTED HEADER DATA PAD ICV Current Format STA ID FLAGS FRAG ID SEC LABEL SDE Des SAID MDF INTEGRITY PROTECTED ENCRYPTED DA SA VLAN TAG CLEAR HEADER PROTECTED HEADER DATA PAD ICV Revised Format X X X X SAID SEQ NO. MDF Pload EType FLAGS FRAG ID SEC LABEL X = May be deleted
SDE Designator • SDE designator is compatible with LLC • Going forward, use of an EtherType is more acceptable
SDE in a Bridged Environment Unprotected Data Environment Unprotected Data Environment Protected Data Environment X Y SDE Bridge A Non-SDE Bridge 1 Non-SDE Bridge N SDE Bridge B Trusted Enclave Untrusted Network Trusted Enclave
Purpose The purpose of this PAR is to update the Secure Data Exchange (SDE) Protocol specified in IEEE Std 802.10-1998, to accommodate newly identified security requirements for all current 802 MACs and delete unneeded header fields.
Scope The scope of this PAR is to make changes to the format and processing of SDE PDUs to: • Accommodate replay protection • Integrity protect the Destination MAC address • Integrity protect additional header fields, particularly the VLAN tag, as needed The current PDU format and processing will have to be modified to incorporate a sequence number; the DA will have to be included in the computation of the ICV, and; the VLAN tag (and any other required header fields) will be included in the computation of the ICV, if protection is required by VLAN tagging rules (which are to be specified). In addition, an informative annex will be developed that discusses various scenarios for securing Layer 2 bridged networks and a normative annex will be developed that defines an SDE profile specifying a single interoperable SDE configuration that must be supported by all vendors claiming conformance to the revised SDE specification.